CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2022-2986
https://notcve.org/view.php?id=CVE-2022-2986
06 Oct 2022 — Enabling and disabling installed H5P libraries did not include the necessary token to prevent a CSRF risk. Habilitando y deshabilitando las bibliotecas H5P instaladas no incluía el token necesario para prevenir un riesgo de tipo CSRF • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75326 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0CVE-2022-40316
https://notcve.org/view.php?id=CVE-2022-40316
30 Sep 2022 — The H5P activity attempts report did not filter by groups, which in separate groups mode could reveal information to non-editing teachers about attempts/users in groups they should not have access to. El informe de intentos de actividad de H5P no filtró por grupos, lo que en el modo de grupos separados podría revelar información a profesores no editores sobre intentos/usuarios en grupos a los que no deberían tener acceso • https://bugzilla.redhat.com/show_bug.cgi?id=2128151 • CWE-862: Missing Authorization •
CVSS: 10.0EPSS: 0%CPEs: 6EXPL: 0CVE-2022-40315
https://notcve.org/view.php?id=CVE-2022-40315
30 Sep 2022 — A limited SQL injection risk was identified in the "browse list of users" site administration page. Se ha identificado un riesgo limitado de inyección SQL en la página de administración del sitio "browse list of users" • https://bugzilla.redhat.com/show_bug.cgi?id=2128150 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2022-40313
https://notcve.org/view.php?id=CVE-2022-40313
30 Sep 2022 — Recursive rendering of Mustache template helpers containing user input could, in some cases, result in an XSS risk or a page failing to load. Una renderización recursiva de los helpers de las plantillas de Mustache que contienen entradas de usuario podría, en algunos casos, resultar en un riesgo de tipo XSS o a un fallo en la carga de la página • https://bugzilla.redhat.com/show_bug.cgi?id=2128146 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 8%CPEs: 3EXPL: 0CVE-2022-40314
https://notcve.org/view.php?id=CVE-2022-40314
30 Sep 2022 — A remote code execution risk when restoring backup files originating from Moodle 1.9 was identified. Se ha identificado un riesgo de ejecución de código remota cuando son restaurados archivos de copia de seguridad procedentes de Moodle versión 1.9 • https://bugzilla.redhat.com/show_bug.cgi?id=2128147 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 1CVE-2021-36568
https://notcve.org/view.php?id=CVE-2021-36568
13 Sep 2022 — In certain Moodle products after creating a course, it is possible to add in a arbitrary "Topic" a resource, in this case a "Database" with the type "Text" where its values "Field name" and "Field description" are vulnerable to Cross Site Scripting Stored(XSS). This affects Moodle 3.11 and Moodle 3.10.4 and Moodle 3.9.7. En determinados productos Moodle después de crear un curso, es posible añadir en un "Topic" arbitrario un recurso, en este caso una "Database" con el tipo "Text" donde sus valores "Field na... • https://blog.hackingforce.com.br/en/cve-2021-36568 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 76%CPEs: 12EXPL: 0CVE-2022-35653
https://notcve.org/view.php?id=CVE-2022-35653
25 Jul 2022 — A reflected XSS issue was identified in the LTI module of Moodle. The vulnerability exists due to insufficient sanitization of user-supplied data in the LTI module. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website to steal potentially sensitive information, change appearance of the web page, can perform phishing and drive-by-download attacks. This vulnerability does not impact authenticated... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72299 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 5EXPL: 0CVE-2022-35652
https://notcve.org/view.php?id=CVE-2022-35652
25 Jul 2022 — An open redirect issue was found in Moodle due to improper sanitization of user-supplied data in mobile auto-login feature. A remote attacker can create a link that leads to a trusted website, however, when clicked, it redirects the victims to arbitrary URL/domain. Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information. Se ha encontrado un problema de redireccionamiento abierto en Moodle debido a un saneamiento inapr... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72171 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.4EPSS: 0%CPEs: 12EXPL: 0CVE-2022-35651
https://notcve.org/view.php?id=CVE-2022-35651
25 Jul 2022 — A stored XSS and blind SSRF vulnerability was found in Moodle, occurs due to insufficient sanitization of user-supplied data in the SCORM track details. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website to steal potentially sensitive information, change appearance of the web page, can perform phishing and drive-by-download attacks. Se encontró una vulnerabilidad de tipo XSS almacenado y SSRF... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71921 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 8%CPEs: 5EXPL: 0CVE-2022-35650
https://notcve.org/view.php?id=CVE-2022-35650
25 Jul 2022 — The vulnerability was found in Moodle, occurs due to input validation error when importing lesson questions. This insufficient path checks results in arbitrary file read risk. This vulnerability allows a remote attacker to perform directory traversal attacks. The capability to access this feature is only available to teachers, managers and admins by default. La vulnerabilidad se encontró en Moodle, es producido debido a un error de comprobación de entrada cuando son importadas las preguntas de las lecciones... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72029 • CWE-20: Improper Input Validation CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •